HPE Community
HPE Aruba Networking & ProVision-based
1830241 Members
7117 Online
109999 Solutions
New Discussion

Re: Switch segmentation

 
Danny_W
New Member

‎07-09-2012 11:56 AM - edited ‎07-09-2012 12:05 PM

‎07-09-2012 11:56 AM - edited ‎07-09-2012 12:05 PM

Switch segmentation

Hi Folks - Hopefully this is an easy question.  I have the current need to give a fw cluster exposure to (3) different networks - so basically it would look like this:

 

  • Network A feed + an arm from each fw = 3 ports
  • Network B feed + an arm from each fw = 3 ports
  • Network C feed + an arm from each fw = 3 ports

All ports would be gigabit copper.  Can I purchase a 24 port switch (like a 2910-24G) and segment it into groups of 3 ports - is this something a VLAN would accomplish?  Never used VLANS before, only flat networks

 

Thanks.

 

Danny

0 Kudos
3 REPLIES 3
paulgear
Esteemed Contributor

‎07-10-2012 07:17 PM

‎07-10-2012 07:17 PM

Re: Switch segmentation

Yes - that's definitely what VLANs are useful for.  Make sure you turn off ip routing in the switch (it's off by default) and set up one VLAN with 3 (untagged) ports for each.

 

Of course, there's not much point having a firewall cluster if you feed it into a single switch, so i would recommend adding another switch, setting up an LACP trunk between the switches, and feeding one firewall into each switch.  And make sure you test what happens when you lose a switch, lose a network connection, or lose a firewall.

 

I would also recommend taking some precautions for hardening the switch:

 

Regards,
Paul
0 Kudos
dave kallman
Regular Visitor

‎07-11-2012 11:03 PM

‎07-11-2012 11:03 PM

Re: Switch segmentation

Paul - Thank you for the repsonse.  I'm confused about the second switch scenerio you describe.  How can I "HA" one network feed?   If I'm taking an uplink from Network A to connect to my fw cluster,  don't i have to nail that uplink down on one switch - if i want to "HA" the connection to Network A, and eliminate a single point of failure (the switch), wouldn't I need the Network A provider to hand me off two uplinks to their network?  Am i missing something?

 

Thanks again for your help!

 

 

paulgear wrote:

Of course, there's not much point having a firewall cluster if you feed it into a single switch, so i would recommend adding another switch, setting up an LACP trunk between the switches, and feeding one firewall into each switch.  And make sure you test what happens when you lose a switch, lose a network connection, or lose a firewall.

0 Kudos
paulgear
Esteemed Contributor

‎07-11-2012 11:33 PM

‎07-11-2012 11:33 PM

Re: Switch segmentation

Hi Dave,

You're absolutely right that you can't split a single feed. But surely you have a firewall cluster because you want to guard against single points of failure? If those 3 links are 3 different ISPs, then you probably want to put one into one switch and two into another so that if you lose one switch you still have one or two of the three.

And, as you hinted, if full redundancy is important, it would be better to have two uplinks coming from each provider.
Regards,
Paul
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.